Steelhead Technologies Data Processing Agreement

Effective Date: January 10, 2025

This Data Processing Agreement (“DPA”) is by and between Steelhead Technologies In (“Processor”) and the company or entity placing an order for, or accessing, any Company Services (“Controller”) and supplements and amends the terms and conditions of that certain agreement between the Processor and Controller (the “Agreement”).  This DPA shall be incorporated into and become a part of the Agreement. This DPA shall be coterminous with the Agreement. In the event that any provisions of this DPA conflict with the terms of the Agreement between the parties, the provisions of this DPA shall govern. Except as otherwise provided herein, the Agreement between the parties shall remain in full force and effect.

1.       Definitions. Terms used in this DPA shall have the meaning indicated below unless otherwise defined in this DPA or the Agreement.

1.1       “Business Purpose” means use of Personal Data for (i) performing services on behalf of Controller, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Controller; (ii) auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards; (iii) helping to ensure security and integrity to the extent the use of the Data Subject’s Personal Data is reasonably necessary and proportionate for these purposes; (iv) debugging to identify and repair errors that impair existing intended functionality; (v) short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a Data Subject’s current interaction with Controller, provided that the Data Subject’s Personal Data is not disclosed to another third party and is not used to build a profile about the Data Subject or otherwise alter the Data Subject’s experience outside the current interaction with the Controller; (vi) providing advertising and marketing services, except for cross-context behavioral advertising, to the Data Subject, provided that, for the purpose of advertising and marketing, Processor shall not combine the Personal Data of opted-out consumers that Processor receives from, or on behalf of, Controller with Personal Data that Processor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers; (vii) undertaking internal research for technological development and demonstration; and (viii) undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by Processor, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by Processor.

1.2       “Controller Personal Data” shall mean the Personal Data described in Schedule 1 of this DPA, in respect of which Controller is the Controller and which is provided to Processor by or on behalf of Controller and Processed by Processor.

1.3       “Controller” has the meaning given in Data Protection Requirements from time to time. A Controller may also be referred to as a Business under Data Protection Requirements.

1.4       “Data Protection Requirements” shall mean any laws or regulations applicable to the Processing of Personal Data (or similar term under the applicable law or regulation) to which Processor or Controller is subject, including, without limitation, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.199) (“CCPA”), the California Consumer Privacy Rights Act ("CPRA," and together with CCPA, "CCPA/CPRA"), the California Online Privacy Protection Act ("COPPA"), the California Consumer Records Act (“Shine the Light Law”), and the data breach notification and reporting laws which may apply based upon the location of Data Subjects whose Personal Data may be Processed, as they may be amended.

1.5       “Personal Data Breach” has the meaning given in Data Protection Requirements from time to time.

1.6       “Processor” has the meaning given in Data Protection Requirements from time to time. A Processor may also be referred to as a Service Provider under Data Protection Requirements.

1.7       “Subprocessor” means any agent, subcontractor or other third party (excluding its employees) engaged by Processor for carrying out any processing activities on behalf of Controller in respect of the Controller Personal Data.

1.8       “Personal Data”, “Data Subject”, “Process”, “Sell,” and “Share,” will each have the meaning given to them in Data Protection Requirements from time to time. “Personal Data” may also be referred to as Personal Information or Non-Public Personal Information under Data Protection Requirements. “Data Subject” may also be referred to as a Consumer under Data Protection Requirements.

Any other terms that are capitalized but not defined below shall have the meanings set forth in Data Protection Requirements and/or the Agreement, as applicable.

2.       General Provisions.

2.1       General Provisions.

2.1.1      This DPA applies to the Processing of Controller Personal Data. If Data Protection Requirements recognize the roles of “Controller” and “Processor” as applied to Controller Personal Data then, as between Processor and Controller, Controller acts as Controller and Processor acts as a Processor (or Subprocessor, as the case may be) of Controller Personal Data.

2.1.2      Schedule 1 to this DPA sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subject. Processor may make reasonable amendments to Schedule 1 from time to time by sending an updated or an additional Schedule 1 to Controller. Processor shall Process Controller Personal Data for an indefinite term for as long as the Agreement is in effect.

2.2       Controller Obligations.

2.2.1      Controller shall comply with its obligations as a Controller under all applicable laws relating to privacy and data protection in respect of its use of services provided by Processor.

2.2.2      Controller shall provide instructions to the Processor pursuant to this DPA that comply with Data Protection Requirements. Nothing in this DPA relieves Controller of any responsibilities or liabilities under any Data Protection Requirements. Controller may take reasonable and appropriate steps to ensure that Processor uses the Controller Personal Data that it received from, or on behalf of, the Controller in a manner consistent with Controller’s obligations under the Data Protection Requirements. Controller also has the right, upon reasonable advance written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Controller Personal Data; provided such steps shall not interfere with Processor’s regular business operations, shall not require Processor to disclose any trade secrets or confidential information of Processor, its customers or its service providers, contractors or third parties, and that Controller shall bear all related expenses, including any expenses related to business interruptions or other indirect expenses.

2.2.3      The Parties agree that such instructions are contained in the Agreement and this DPA and that Processor may Process Controller Personal Data as necessary to enable Processor to fulfill its obligations to Controller under the Agreement. Any additional or different instructions require a signed agreement between Processor and Controller and may be subject to additional fees.

2.2.4      Controller shall have sole responsibility for the accuracy, quality, and legality of Controller Personal Data and the means by which Controller acquired Personal Data. Controller shall ensure that Controller has the right to transfer, or provide access to, Controller Personal Data to Processor for Processing pursuant to the Agreement and this DPA.

2.2.5      Controller hereby warrants that it has provided all required notices and obtained all required permissions or, if applicable and sufficient under Data Protection Requirements, another valid legal basis, required under Data Protection Requirements for Processor to Process any Personal Data of the Data Subjects specified in Schedule 1 to this DPA. Controller acknowledges that Processor is reliant on Controller for direction as to the extent to which Processor is entitled to Process Controller Personal Data.

2.3       Unless set forth in a statement of work, order, or other document, Controller Personal Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Processor in addition to or different from those specified in any documentation or which are not provided as part of the Agreement or this DPA.

2.4       Processor Obligations.

2.4.1      Processor is receiving Personal Data for the limited and specified purpose to perform services for or on behalf of Controller and as further set forth in this Agreement. Processor will only Process Controller Personal Data as a Processor on behalf of and in accordance with Controller’s prior written instructions, including with respect to transfers of Controller Personal Data, unless Processing is required by Data Protection Requirements to which Processor is subject, in which case Processor shall, to the extent permitted by applicable law, inform Controller of that legal requirement before so Processing that Controller Personal Data.

2.4.2      Processor shall process Personal Data in compliance with the obligations placed on it under Data Protection Requirements and the terms of this DPA. Processor will inform Controller if, in its opinion, an instruction from Controller infringes the Data Protection Requirements, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; provided, however, Processor is not responsible for performing legal research and/or for providing legal advice to Controller.

2.4.3      In addition to any non-conflicting terms contained in the Agreement, Processor shall: (i) not Sell or Share Controller Personal Data; (ii) not retain, use, or disclose Controller Personal Data for any other purpose, other than for the Business Purpose specified in this DPA, including retaining, using, or disclosing the Controller Personal Data for a commercial purpose other than the Business Purpose specified in this DPA or as otherwise permitted by Data Protection Requirements; (iii) not retain, use, or disclose Controller Personal Data outside of the direct business relationship between the parties, except as may be permitted by the Data Protection Requirements; and (iv) not combine the Controller Personal Data that it receives from, or on behalf of, Controller with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject, provided that Processor may combine Personal Data to perform any business purpose as defined in regulations adopted pursuant to Data Protection Requirements and in regulations adopted by a governmental authority. Processor shall notify Controller if it determines that it can no longer meet its obligations under the Data Protection Requirements. 

2.4.4      Processor shall treat the Controller Personal Data Processed as confidential and shall not disclose such data to any third parties, except as necessary for Processor to perform its obligations under the Agreement or this DPA, unless authorized by Controller and in accordance with this DPA. In accordance with Data Protection Requirements, Processor shall put procedures in place designed to ensure that all persons acting under its authority entrusted with the Processing of Controller Personal Data (i) have committed themselves to keep such data confidential and not to use such data for any purposes except as permitted under this DPA, or (ii) are under an appropriate contractual or statutory obligation of confidentiality. Processor will further instruct such persons regarding the applicable statutory provisions on data protection and shall ensure that access to Controller Personal Data is limited to those persons with a need to know and as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Requirements in the context of the Processor’s duties to Controller.

3.       International Transfers.

3.1       Processor may Process Personal Data outside of the jurisdiction in which it was collected, transfer such Personal Data across national borders, or permit remote access to the Personal Information by any employee, affiliate, contractor, Subprocessor or other third party; provided, however, Processor agrees to comply with Data Protection Requirements governing the cross-border transfer of Personal Data, including to execute and undertake such compliance mechanisms as may be required by such Data Protection Requirements in order for Processor to transfer Personal Information to such countries or permit remote access in such countries.

4.       Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor has implemented and will maintain appropriate physical, technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored, or otherwise Processed. Processor may update its security practices from time to time but will not materially decrease the overall security for so long as Processor Processes or retains Controller Personal Data. Such measures shall include a process for regularly testing, assessing and evaluating the effectiveness of the measures.

5.       Subcontracting Authorization.

5.1       When subcontracting to another Processor entity or a third party, if the subcontractor will Process Controller Personal Data, such subcontractor shall be a Subprocessor and Processor will enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor substantially the same level of restrictions that apply to Processor under this DPA, to the extent that such requirements are applicable to the Processing to be done under such subcontract. A list of Processor’s current Subprocessors is available upon written request by Controller (“Subprocessor List”). For the avoidance of doubt, this constitutes Controller’s general authorization for Processor’s engagement of Subprocessors and Processor’s appointment of additional Subprocessors or replacement of any Subprocessors identified on the Subprocessor List.

5.2       Processor may add or replace Subprocessors or make updates to the Subprocessor List at any time. Controller agrees to subscribe to any mechanisms that Processor may provide for notifications regarding changes to the Subprocessor List. If Controller subscribes to such notifications, Processor will provide details of any change in Subprocessors as soon as reasonably practicable. Controller agrees to provide any objections promptly (in any event no later than fourteen (14) days following any notification or update), provided such objections are based on documented evidence that establishes the Subprocessor does not or cannot comply with this DPA or Data Protection Requirements and identify the reasonable data protection basis for the objection (“Objection”), so that Processor can evaluate the Objection and determine any appropriate action.

5.3       In the event of an Objection, Controller and Processor will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the DPA or Data Protection Requirements. If Processor is unable to perform its obligations under the Agreement or this DPA (in whole or in part) without use of the new Subprocessor that Controller reasonably objects to and if the parties are unable to resolve Controller’s concerns, Controller may discontinue the part of the services only that Processor is unable to perform without such Subprocessor, upon written notice to Processor. Such discontinuation will be without prejudice to any fees incurred by Controller prior to the discontinuation of the affected services.  If Processor does not receive such notice of Objection, the replacement or addition of a Subprocessor will be deemed to be accepted by Controller.

5.4       Notwithstanding the foregoing, Processor may replace a Subprocessor without advance notice where the reason for the change is outside of Processor’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Processor will inform Controller of the replacement Subprocessor as soon as possible following its appointment. Controller’s objection and termination right in this Section 5 applies accordingly.

5.5       Processor shall remain fully liable to Controller under this DPA for the performance of its Subprocessors to the same extent Processor is liable for its own performance hereunder.

6.       Personal Data Breach Notification.

6.1       Processor will provide Controller notice, in writing, promptly and without undue delay of any Personal Data Breach impacting Controller Personal Data. Any such notification is not an acknowledgement of fault or responsibility. Processor agrees, at Controller’s cost and expense (including fees and expenses to compensate Processor and its Subprocessors for their time and out of pocket costs involved in responding to any audit requests), to reasonably cooperate with Controller in Controller’s handling of the matter, including without limitation any investigation, reporting or other obligations required by applicable law or regulation, or as otherwise required by Controller, and will work with Controller to otherwise respond to and mitigate any damages caused by the Personal Data Breach. Processor’s prior written approval shall be required for any statements regarding, or references to, the Personal Data Breach or Processor made by Controller in any such notifications. Processor shall not notify any third party of the Personal Data Breach without Controller’s prior written authorization, unless otherwise required by Data Protection Requirements.

6.2       As information regarding the Personal Data Breach impacting Controller Personal Data becomes available for Processor to disclose to Controller, Processor will provide Controller with information regarding (1) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Controller Personal Data records concerned; (2) summary of measures taken to address or mitigate any possible adverse effects; and (3) other information concerning the Personal Data Breach impacting Controller Personal Data reasonably known or available to Processor that Controller is required to disclose to a governmental authority or Data Subjects under Data Protection Requirements. Except as required by Data Protection Requirements, the obligations in this Section shall not apply to Personal Data Breaches caused by Controller.

7.       Handling of Complaints, Inquiries and Orders. To the extent a Data Subject identifies Controller as the entity that collected its Personal Data, Processor shall notify Controller of the Data Subject’s complaints and inquiries (e.g., regarding the rectification, deletion and blocking of or the access to Personal Data, or any other rights Data Subject has under Data Protection Requirements) (“Data Subject Inquiry”) received by Processor. To the extent Controller does not have the ability to address a Data Subject Inquiry, then at Controller’s cost and expense (including fees and expenses to compensate Processor and its subcontractors for their time and out of pocket costs involved in responding to any request), Processor shall provide assistance to Controller to respond to such Data Subject Inquiry in a timely manner. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of Controller's obligations to respond to Data Subject Inquiry under Data Protection Requirements. Processor shall not independently respond to Data Subject Inquiries without Controller's prior approval, except where required by Data Protection Requirements. The same shall apply to orders and inquiries of courts or regulators. Processor will instruct Data Subjects that do not identify a relevant Controller to contact the correct Controller. Processor shall comply with Controller’s instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 2.2 and this Section 7.

8.       Term. The term of this DPA is identical with the term of the Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Agreement.

9.       Data Retention. After expiration or termination of this DPA or pursuant to written instructions provided by Controller, Processor shall, in accordance with Processor’s record retention policy and at Controller’s cost and expense (including fees and expenses to compensate Processor and its subcontractors for their time and out of pocket costs involved in responding to any request) destroy all copies of Controller Personal Data Processed on behalf of Controller in Processor’s role as a Processor. Processor may retain Controller Personal Data to the extent contained in its electronic data back-up and recovery systems until destroyed in accordance with Processor’s records retention policy or to the extent required by applicable laws only for such period as required by applicable laws, or as necessary to protect its legal rights, and provided that Processor shall protect the confidentiality of all such Controller Personal Data and Process such Controller Personal Data only as necessary for the relevant purpose(s) requiring its storage and for no other purpose.

10.    Invalidity and/or Unenforceability. Should any provision of this DPA be found invalid or unenforceable by a competent court of law, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, should this not be possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.

11.    Liability. Indemnification, liability, limitations of liability and any applicable exclusions under this DPA shall be governed by the Agreement to the extent permitted by Data Protection Requirements.

12.    Corporate Restructuring. Processor may share and disclose Controller Personal Data and other data of Controller in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Processor’s business by or to another company, including the transfer of contact information and data of Controllers, partners and end users.

13.    Information, Audits, and Assistance.

13.1    Processor shall at all times during the term of this DPA keep books and records sufficient to show its compliance with the terms of this DPA. Processor will cooperate in good faith with Controller’s efforts to ensure Processor’s reasonable compliance with this DPA, by making available to Controller, upon Controller’s written request, a copy of Processor’s most recent audit report at Controller’s expense. Such audit report shall be considered Processor’s confidential information. To the extent that Processor’s provision of an audit report does not provide sufficient information for Controller to verify Processor’s compliance with this DPA, and to the extent required by Data Protection Requirements, Processor will, upon Controller’s written request and at Controller’s expense (including fees and expenses to compensate Processor and its subcontractors for their time and out of pocket costs involved in responding to any request), and subject to the confidentiality obligations set forth in the Agreement, to the extent possible, make available to Controller information which Controller considers reasonably necessary to substantiate Processor’s compliance with this DPA and Data Protection Requirements, including completing security and audit questionnaires. Processor may exclude information and documentation that Processor is under obligation to keep confidential to third parties from any such audit or review. Controller may only use such information to confirm Processor’s compliance with this DPA and to assist Controller with complying with its obligations under Data Protection Requirements. Any requests for information will be with thirty (30) days’ advance notice to Processor, and shall be limited to once per year, unless Controller has reasonable concerns about Processor’s data protection compliance, following a Personal Data Breach or following instruction from a governmental authority.

13.2    To the extent required by Data Protection Requirements and to the extent such documentation provided under Section 13.1 does not provide sufficient information for Controller to verify Processor’s compliance with this DPA, Controller and its representatives, using a third party auditor, shall have the right to carry out on-site audits (no more than once per year and at Controller’s expense (including fees and expenses to compensate Processor and its subcontractors for their time and out of pocket costs involved in responding to any request)), of books, records, personnel and operations of Processor and perform physical and electronic reviews, including a review of Processor’s IT infrastructure security, or review an independent audit provided by Processor, during regular business hours without disrupting the Processor’s business operations and in accordance with the Processor’s security policies in order to monitor Processor’s compliance with the terms of this DPA and its obligations under Data Protection Requirements. Such third party auditor engaged by Controller to conduct an audit must be pre-approved by Processor (such approval not to be unreasonably withheld) and sign Processor’s confidentiality agreement.

13.3    For any audits, Controller must provide Processor with a proposed audit plan at least thirty (30) days in advance of the audit. Information obtained or results produced in connection with an audit are Processor’s confidential information and may only be used by Controller to confirm Processor’s compliance with this DPA and to comply with Controller’s obligations under Data Protection Requirements.

13.4    If requested by Controller solely in order to support Controller’s compliance with Data Protection Requirements, Processor shall provide, at Controller’s expense (including fees and expenses to compensate Processor and its subcontractors for their time and out of pocket costs involved in responding to any request), reasonably required assistance to Controller in ensuring its compliance relating to data protection impact assessments and prior consultation with Supervisory Authorities, taking into account the nature of the Processing and the information available to Processor. All such information provided shall be Processor’s confidential information.

14.    Amendments for Additional Local Data Protection Requirements. To the extent that additional country-specific (or state, regional, provincial, or other geographic area specific) provisions are required under Data Protection Requirements, the parties agree to incorporate such provisions solely to the extent they are required and solely to the extent they are applicable to particular Controller Personal Data processed by Processor.

Schedule 1

A. List of Parties

Name (Controller): The Controller is the entity identified as "Controller" in the DPA.
Address: As set forth in the Agreement.
Contact person’s name, position and contact details: As set forth in the Notices provision in the Agreement.
Activities relevant to the data transferred under the Clauses: In addition to the information described below (Section B. Description of Transfer), the activities relevant to the data transferred for Processor’s performance of the services more fully described in the Agreement and applicable ordering documents.
Signature and date: Refer to the Agreement and applicable ordering documents.
Role (controller/processor): Controller, except when processing data on behalf of another entity, in which case Controller is a Processor.

B. Description of Transfer

Categories Details
Categories of individuals/data subjects affected by the processing:
  • Current employees, customers, contractors, agents, consultants, suppliers, and vendors of Controller for the purposes of providing (and Controller using) services, including end users using or interacting with the Processor's services.
  • Former employees, contractors, agents, consultants, vendors.
  • Job applicants.
  • Employees of vendors.
  • Website visitors/prospective shops.
Categories of Personal Information that will be processed by Processor:
  • Identifiers, characteristics, and other information an individual provides (e.g., name, alias, unique personal identifier, online identifier, Internet Protocol (IP) address, email address).
  • Consumer record information (e.g., name, signature, and, to the extent Controller uses payroll services: bank account number, credit or debit card number, other financial information).
  • Professional or employment-related information, including business contact information of the Data Subjects.
  • Commercial information regarding records of Processor products or services purchased, obtained, or considered.
  • Electronic activity, such as data gathered by technology when you visit Processor's websites or use mobile applications.
  • Registered device geolocation data.
  • Other: For Processor products and services that include cloud services, the categories of Personal Data that may be processed are as set forth in the Processor's Privacy Policy. For any professional services provided by Processor, any Personal Data that is shared with Processor by or on behalf of Controller in connection with any professional services provided by Processor under the Agreement.
Categories of Sensitive Personal Information that will be processed by Processor: Processor does not require any sensitive personal data or special categories of data to provide its products and services. Unless otherwise specified in the Agreement, Controller shall not provide and must receive prior written consent of Processor before transferring any special categories of data or sensitive data to Processor.
Frequency of the transfer: Continuous and for so long as Controller uses the Processor's services, and for the termination and transition period thereafter, if any is set forth in the DPA and/or the Agreement.
Nature of the Processing: The Processor shall collect, Process and use all Personal Data solely for the purpose of the processing as specified in the Agreement, the DPA, and any accompanying ordering documents and according to documented instructions on behalf of the Controller, including to provide related technical support and professional services under the Agreement (as applicable), discussing a potential business relationship, and improving/enhancing such products and services and support services.
Period for which the personal data will be retained or criteria used to determine that period: The retention period of the Personal Data is for the duration of the Agreement or as otherwise described therein.
Subprocessor transfers – subject matter, nature, and duration of processing: Subprocessors shall Process Personal Data solely for the purpose of the processing as specified in the Agreement, the DPA, and any accompanying ordering documents and according to documented instructions on behalf of the Controller and subject to obligations essentially equivalent to those described in this DPA.